Exchange Web Services Push Notifications can be used to gain unauthorized access

Scenario

Consider the following scenario:

You are running Exchange Server.

You have enabled Exchange Web Services (EWS).

Push Notifications are enabled and used in your environment.

Cause

When a client subscribes to Push Notifications from Exchange Server, the notifications that are sent to the client include NTLM information that could be used to authenticate as the server that is running Exchange Server. This information was previously included to allow an authenticated response to subscribed clients. Only Push Notifications are affected. Pull and Streaming Notifications are unaffected.

Workaround

To work around this scenario and prevent information from being misused, define a throttling policy that prevents EWS Notifications from being sent to subscribed clients. Although only Push Notifications are subject to this behavior, a throttling policy affects Push, Pull, and Streaming Notifications equally.

Note This workaround causes some clients to not function correctly. This includes Outlook for Mac, Skype for Business, native iOS mail clients, and some other third-party clients. It may also include custom LOB applications.

Resolution

Microsoft has changed the notifications contract that is established between EWS clients and servers that are running Exchange Server not to allow authenticated notifications to be streamed by the server. Instead, these notifications are streamed by using anonymous authentication mechanisms. Because a client would have to authenticate to establish the subscription, this approach is considered to be an appropriate and necessary design to protect the credentials and identity of the server. After this change, clients that rely on an authenticated EWS Push Notification from the server that is running Exchange Server will require a client update to continue to function correctly.

This change in behavior becomes effective in the following Exchange releases: